Which mobile application do you use to check the scores of your favorite games? If that's ESPN's ScoreCenter for iOS, then you have a problem, and it's called a "false feeling of security".

According to Zscaler, the application not only transmits account data, login credentials included, in cleartext, but is also susceptible to an XSS flaw that allows the potential injection of active content.

A logical question emerges: what would an attacker do with your ESPN member account if it were compromised by a malicious party sniffing for passwords on insecure networks, and is the scenario I'm about to discuss feasible enough for a real-world fraudulent operation?

In reality, though, in 2013 these very same cybercriminals rely on far more efficient techniques for getting at a prospective victim's PC and account data. So despite the fact that the application lacks SSL support, unless you reuse the same email and password across multiple websites or have a vast social networking circle inside the portal, there is little to worry about beyond the "false feeling of security" ESPN provides you with.

What can users do to protect against the "false feeling of security" offered to them by all of these mobile application developers?

Tunneling your traffic through a VPN, on both your PC and your mobile device, whenever you use a WiFi network, regardless of whether it is password-protected or public, is highly advisable. If your employer doesn't provide one, consider a commercial alternative. The real solution to this ongoing trend is a proper SSL implementation within these applications; a VPN only mitigates part of the risk on WiFi networks. It protects the wireless hop, where a casual sniffer sits, but cleartext traffic still leaves the VPN exit in the clear, and it does nothing against the XSS flaw.

To make the sniffing scenario from the opening paragraphs and the VPN advice above concrete, here is an added illustration (not code from the article, from Zscaler or from ESPN) of what a passive observer on the same WiFi network learns from one login request sent three ways: cleartext HTTP, HTTPS, and through a VPN tunnel. The captured frames, the hostname scores.example.com, the path /api/login, the form field names and the addresses are all constructed for the example; the real ScoreCenter endpoints are not described on this page. It shows the asymmetry a practitioner cares about: plain HTTP hands over the password, HTTPS still leaks the server name through the ClientHello's SNI extension, and inside a tunnel the observer sees only the VPN endpoint.

```python
"""
Added illustration, not code from the article or from Zscaler: what a passive
observer on the same WiFi network learns from one login request sent three
ways: cleartext HTTP, HTTPS, and through a VPN tunnel. The captured frames,
hostnames, paths and addresses below are constructed, not real ESPN traffic.
"""
import re
import struct
from urllib.parse import parse_qs

# Field names a sniffer would grep for in cleartext form bodies.
CREDENTIAL_FIELDS = re.compile(r"^(pass(word|wd)?|pwd|email|user(name)?|login)$", re.I)


def credentials_from_http(payload: bytes):
    """Pull credential-looking form fields out of a cleartext HTTP request."""
    head, _, body = payload.partition(b"\r\n\r\n")
    request_line = head.split(b"\r\n", 1)[0]
    if not re.match(rb"^(GET|POST|PUT) \S+ HTTP/1\.[01]$", request_line):
        return None
    found = {k: v[0] for k, v in parse_qs(body.decode(errors="replace")).items()
             if CREDENTIAL_FIELDS.match(k)}
    return found or None


def build_client_hello(server_name: str) -> bytes:
    """Minimal TLS 1.2 ClientHello record carrying only an SNI extension (constructed)."""
    name = server_name.encode()
    entry = b"\x00" + struct.pack("!H", len(name)) + name          # name_type 0 = host_name
    sni_list = struct.pack("!H", len(entry)) + entry
    ext = struct.pack("!HH", 0x0000, len(sni_list)) + sni_list      # extension 0 = server_name
    body = (b"\x03\x03"                      # client_version TLS 1.2
            + b"\x11" * 32                   # client random (fixed, constructed)
            + b"\x00"                        # session_id length 0
            + b"\x00\x02\xc0\x2f"            # one cipher suite
            + b"\x01\x00"                    # compression: null only
            + struct.pack("!H", len(ext)) + ext)
    handshake = b"\x01" + len(body).to_bytes(3, "big") + body       # HandshakeType client_hello
    return b"\x16\x03\x01" + struct.pack("!H", len(handshake)) + handshake


def sni_from_client_hello(record: bytes):
    """Return the server_name a TLS ClientHello advertises in the clear, or None."""
    if len(record) < 6 or record[0] != 0x16 or record[5] != 0x01:
        return None
    hs = record[5:]
    p = 4 + 2 + 32                                   # handshake header, version, random
    p += 1 + hs[p]                                   # session_id
    p += 2 + struct.unpack("!H", hs[p:p + 2])[0]     # cipher_suites
    p += 1 + hs[p]                                   # compression_methods
    if p + 2 > len(hs):
        return None                                  # no extensions at all
    end = p + 2 + struct.unpack("!H", hs[p:p + 2])[0]
    p += 2
    while p + 4 <= end:
        etype, elen = struct.unpack("!HH", hs[p:p + 4])
        p += 4
        if etype == 0:
            q = p + 2                                # skip server_name_list length
            name_len = struct.unpack("!H", hs[q + 1:q + 3])[0]
            if hs[q] == 0:
                return hs[q + 3:q + 3 + name_len].decode()
        p += elen
    return None


def observe(frame: dict) -> dict:
    """What the observer learns from one captured frame: destination, server name, credentials."""
    port, payload = frame["port"], frame["payload"]
    seen = {"dst": f'{frame["dst"]}:{port}', "server_name": None, "credentials": None}
    if port == 80:
        seen["kind"] = "http"
        seen["credentials"] = credentials_from_http(payload)   # everything is readable
    elif port == 443 and payload[:1] == b"\x16":
        seen["kind"] = "tls"
        seen["server_name"] = sni_from_client_hello(payload)  # hostname leaks, body does not
    else:
        seen["kind"] = "opaque"                                # tunnel: only the VPN endpoint
    return seen


# Constructed captures of the same login sent three ways.
BODY = b"email=fan%40example.org&password=hunter2"
PLAIN_HTTP = {"dst": "203.0.113.10", "port": 80, "payload":
              b"POST /api/login HTTP/1.1\r\nHost: scores.example.com\r\n"
              b"Content-Type: application/x-www-form-urlencoded\r\n"
              b"Content-Length: " + str(len(BODY)).encode() + b"\r\n\r\n" + BODY}
TLS_HELLO = {"dst": "203.0.113.10", "port": 443,
             "payload": build_client_hello("scores.example.com")}
VPN_TUNNEL = {"dst": "198.51.100.7", "port": 1194, "payload": b"\x38" + b"\xa7" * 60}

if __name__ == "__main__":
    for label, frame in (("plain HTTP", PLAIN_HTTP), ("HTTPS", TLS_HELLO), ("VPN", VPN_TUNNEL)):
        print(f"{label:10s} {observe(frame)}")
```

Run as a script and the three lines show the gradient: the HTTP frame yields the email and password outright, the HTTPS frame yields only the destination and scores.example.com, and the tunnelled frame yields only the VPN endpoint. Keep in mind that the tunnel case is measured at the WiFi hop; whatever the application sends in cleartext reappears unchanged once the VPN exit forwards it, which is why the app's own SSL support, not the VPN, is the actual fix.
<test>
assert observe(PLAIN_HTTP)["kind"] == "http"
assert observe(PLAIN_HTTP)["credentials"] == {"email": "fan@example.org", "password": "hunter2"}
assert observe(TLS_HELLO)["kind"] == "tls"
assert observe(TLS_HELLO)["server_name"] == "scores.example.com"
assert observe(TLS_HELLO)["credentials"] is None
assert observe(VPN_TUNNEL) == {"dst": "198.51.100.7:1194", "server_name": None, "credentials": None, "kind": "opaque"}
assert sni_from_client_hello(b"\x17\x03\x03\x00\x01\x00") is None
assert credentials_from_http(b"GET / HTTP/1.1\r\nHost: x\r\n\r\n") is None
</test>

Dancho Danchev is an independent security consultant and cyber threats analyst, with extensive experience in open source intelligence gathering and cybercrime incident response. He has been an active security blogger since 2007, and maintains a popular security blog sharing real-time threat intelligence data with the rest of the community...